-
Notifications
You must be signed in to change notification settings - Fork 246
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB - Security Patch integration September 2023
Tracked-On: OAM-111936 Signed-off-by: Reddy, Alavala Srinivasa <[email protected]>
- Loading branch information
Showing
21 changed files
with
2,522 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
35 changes: 35 additions & 0 deletions
35
...works/av/25_0025-Fix-Segv-on-unknown-address-error-flagged-by-fuzzer-test-.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| From 9f042d16d4d51b0a87a0a89c78c2e2a9a7e3b544 Mon Sep 17 00:00:00 2001 | ||
| From: Shruti Bihani <[email protected]> | ||
| Date: Thu, 6 Jul 2023 08:41:56 +0000 | ||
| Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test. | ||
|
|
||
| The error is thrown when the destructor tries to free pointer memory. | ||
| This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error. | ||
|
|
||
| Bug: 245135112 | ||
| Test: Build mtp_host_property_fuzzer and run on the target device | ||
| (cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c138d20635694857754f2b7de2342089de13d556) | ||
| Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580 | ||
| Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580 | ||
| --- | ||
| media/mtp/MtpProperty.h | 3 +++ | ||
| 1 file changed, 3 insertions(+) | ||
|
|
||
| diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h | ||
| index 36d736065f..2bdbfd3262 100644 | ||
| --- a/media/mtp/MtpProperty.h | ||
| +++ b/media/mtp/MtpProperty.h | ||
| @@ -26,6 +26,9 @@ namespace android { | ||
| class MtpDataPacket; | ||
|
|
||
| struct MtpPropertyValue { | ||
| + // pointer str initialized to NULL so that free operation | ||
| + // is not called for pre-assigned value | ||
| + MtpPropertyValue() : str (NULL) {} | ||
| union { | ||
| int8_t i8; | ||
| uint8_t u8; | ||
| -- | ||
| 2.41.0.585.gd2178a4bd4-goog | ||
|
|
590 changes: 590 additions & 0 deletions
590
...s/base/99_0183--DO-NOT-MERGE-Update-quickshare-intent-rather-than-recreati.bulletin.patch
Large diffs are not rendered by default.
Oops, something went wrong.
50 changes: 50 additions & 0 deletions
50
...eworks/base/99_0184-Ignore-virtual-presentation-windows-RESTRICT-AUTOMERGE.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| From 412d9b6ab47950f4a932d296636c2510efe1b4aa Mon Sep 17 00:00:00 2001 | ||
| From: Achim Thesmann <[email protected]> | ||
| Date: Tue, 23 May 2023 00:26:33 +0000 | ||
| Subject: [PATCH] Ignore virtual presentation windows - RESTRICT AUTOMERGE | ||
|
|
||
| Windows of TYPE_PRESENTATION on virtual displays should not be counted | ||
| as visible windows to determine if BAL is allowed. | ||
|
|
||
| Test: manual test, atest BackgroundActivityLaunchTest | ||
| Bug: 264029851, 205130886 | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf60a0c6f153a55714d4879bb6cf5b239381a22a) | ||
| Merged-In: I08b16ba1c155e951286ddc22019180cbd6334dfa | ||
| Change-Id: I08b16ba1c155e951286ddc22019180cbd6334dfa | ||
| --- | ||
| .../core/java/com/android/server/wm/WindowState.java | 12 ++++++++++-- | ||
| 1 file changed, 10 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java | ||
| index 9a71d8b050d6..09fd71412fea 100644 | ||
| --- a/services/core/java/com/android/server/wm/WindowState.java | ||
| +++ b/services/core/java/com/android/server/wm/WindowState.java | ||
| @@ -3532,8 +3532,12 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP | ||
| // apps won't always be considered as foreground state. | ||
| // Exclude private presentations as they can only be shown on private virtual displays and | ||
| // shouldn't be the cause of an app be considered foreground. | ||
| - if (mAttrs.type >= FIRST_SYSTEM_WINDOW && mAttrs.type != TYPE_TOAST | ||
| - && mAttrs.type != TYPE_PRIVATE_PRESENTATION) { | ||
| + // Exclude presentations on virtual displays as they are not actually visible. | ||
| + if (mAttrs.type >= FIRST_SYSTEM_WINDOW | ||
| + && mAttrs.type != TYPE_TOAST | ||
| + && mAttrs.type != TYPE_PRIVATE_PRESENTATION | ||
| + && !(mAttrs.type == TYPE_PRESENTATION && isOnVirtualDisplay()) | ||
| + ) { | ||
| mWmService.mAtmService.mActiveUids.onNonAppSurfaceVisibilityChanged(mOwnerUid, shown); | ||
| } | ||
| if (mIsImWindow && mWmService.mAccessibilityController != null) { | ||
| @@ -3541,6 +3545,10 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP | ||
| } | ||
| } | ||
|
|
||
| + private boolean isOnVirtualDisplay() { | ||
| + return getDisplayContent().mDisplay.getType() == Display.TYPE_VIRTUAL; | ||
| + } | ||
| + | ||
| private void logExclusionRestrictions(int side) { | ||
| if (!logsGestureExclusionRestrictions(this) | ||
| || SystemClock.uptimeMillis() < mLastExclusionLogUptimeMillis[side] | ||
| -- | ||
| 2.41.0.585.gd2178a4bd4-goog | ||
|
|
31 changes: 31 additions & 0 deletions
31
.../base/99_0185-Update-AccountManagerService-checkKeyIntentParceledCorrectly.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| From 9d4a401222fe5ef9e9fc4a07de5f82ce920f2d31 Mon Sep 17 00:00:00 2001 | ||
| From: Dmitry Dementyev <[email protected]> | ||
| Date: Fri, 30 Jun 2023 14:36:44 -0700 | ||
| Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly. | ||
|
|
||
| Bug: 265798288 | ||
| Test: manual | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1) | ||
| Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb | ||
| Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb | ||
| --- | ||
| .../com/android/server/accounts/AccountManagerService.java | 3 +++ | ||
| 1 file changed, 3 insertions(+) | ||
|
|
||
| diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java | ||
| index c0aa36a0fb77..215bd2b02cc7 100644 | ||
| --- a/services/core/java/com/android/server/accounts/AccountManagerService.java | ||
| +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java | ||
| @@ -4923,6 +4923,9 @@ public class AccountManagerService | ||
| Bundle simulateBundle = p.readBundle(); | ||
| p.recycle(); | ||
| Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); | ||
| + if (intent != null && intent.getClass() != Intent.class) { | ||
| + return false; | ||
| + } | ||
| Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); | ||
| if (intent == null) { | ||
| return (simulateIntent == null); | ||
| -- | ||
| 2.41.0.585.gd2178a4bd4-goog | ||
|
|
116 changes: 116 additions & 0 deletions
116
.../base/99_0186-Forbid-granting-access-to-NLSes-with-too-long-component-name.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| From 54959a7d14b311d4ae3032470d68e68e4e499a6f Mon Sep 17 00:00:00 2001 | ||
| From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <[email protected]> | ||
| Date: Thu, 15 Jun 2023 18:31:34 +0200 | ||
| Subject: [PATCH] Forbid granting access to NLSes with too-long component names | ||
|
|
||
| This makes the limitation, which was previously only checked on the Settings UI, enforced everywhere. | ||
|
|
||
| Fixes: 260570119 | ||
| Fixes: 286043036 | ||
| Test: atest + manually | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a40b0b3a17658af16922b4ba99ccc4258af89f5) | ||
| Merged-In: I4c25d80978cb37a8fa1531f5045259d25ac64692 | ||
| Change-Id: I4c25d80978cb37a8fa1531f5045259d25ac64692 | ||
| --- | ||
| .../java/android/app/NotificationManager.java | 6 +++++ | ||
| .../NotificationManagerService.java | 5 ++++ | ||
| .../android/server/vr/VrManagerService.java | 6 ++++- | ||
| .../NotificationManagerServiceTest.java | 25 +++++++++++++++++++ | ||
| 4 files changed, 41 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java | ||
| index ccf1edb3fecc..d6835e31bab1 100644 | ||
| --- a/core/java/android/app/NotificationManager.java | ||
| +++ b/core/java/android/app/NotificationManager.java | ||
| @@ -561,6 +561,12 @@ public class NotificationManager { | ||
| */ | ||
| public static final int BUBBLE_PREFERENCE_SELECTED = 2; | ||
|
|
||
| + /** | ||
| + * Maximum length of the component name of a registered NotificationListenerService. | ||
| + * @hide | ||
| + */ | ||
| + public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500; | ||
| + | ||
| @UnsupportedAppUsage | ||
| private static INotificationManager sService; | ||
|
|
||
| diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java | ||
| index 7cc05765e9c8..dea8c52927fe 100755 | ||
| --- a/services/core/java/com/android/server/notification/NotificationManagerService.java | ||
| +++ b/services/core/java/com/android/server/notification/NotificationManagerService.java | ||
| @@ -5381,6 +5381,11 @@ public class NotificationManagerService extends SystemService { | ||
| boolean granted, boolean userSet) { | ||
| Objects.requireNonNull(listener); | ||
| checkNotificationListenerAccess(); | ||
| + if (granted && listener.flattenToString().length() | ||
| + > NotificationManager.MAX_SERVICE_COMPONENT_NAME_LENGTH) { | ||
| + throw new IllegalArgumentException( | ||
| + "Component name too long: " + listener.flattenToString()); | ||
| + } | ||
| if (!userSet && isNotificationListenerAccessUserSet(listener)) { | ||
| // Don't override user's choice | ||
| return; | ||
| diff --git a/services/core/java/com/android/server/vr/VrManagerService.java b/services/core/java/com/android/server/vr/VrManagerService.java | ||
| index b296ef2a1443..1ff01a6c70bf 100644 | ||
| --- a/services/core/java/com/android/server/vr/VrManagerService.java | ||
| +++ b/services/core/java/com/android/server/vr/VrManagerService.java | ||
| @@ -1049,7 +1049,11 @@ public class VrManagerService extends SystemService | ||
|
|
||
| for (ComponentName c : possibleServices) { | ||
| if (Objects.equals(c.getPackageName(), pkg)) { | ||
| - nm.setNotificationListenerAccessGrantedForUser(c, userId, true); | ||
| + try { | ||
| + nm.setNotificationListenerAccessGrantedForUser(c, userId, true); | ||
| + } catch (Exception e) { | ||
| + Slog.w(TAG, "Could not grant NLS access to package " + pkg, e); | ||
| + } | ||
| } | ||
| } | ||
| } | ||
| diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java | ||
| index a3c8cfabd3c5..2dff80ece44a 100755 | ||
| --- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java | ||
| +++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java | ||
| @@ -76,6 +76,7 @@ import static junit.framework.Assert.assertNull; | ||
| import static junit.framework.Assert.assertTrue; | ||
| import static junit.framework.Assert.fail; | ||
|
|
||
| +import static org.junit.Assert.assertThrows; | ||
| import static org.mockito.ArgumentMatchers.isNull; | ||
| import static org.mockito.Matchers.anyBoolean; | ||
| import static org.mockito.Matchers.anyLong; | ||
| @@ -3146,6 +3147,30 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { | ||
| any(), anyInt(), anyBoolean(), anyBoolean(), anyBoolean()); | ||
| } | ||
|
|
||
| + @Test | ||
| + public void testSetListenerAccessForUser_grantWithNameTooLong_throws() { | ||
| + UserHandle user = UserHandle.of(mContext.getUserId() + 10); | ||
| + ComponentName c = new ComponentName("com.example.package", | ||
| + com.google.common.base.Strings.repeat("Blah", 150)); | ||
| + | ||
| + assertThrows(IllegalArgumentException.class, | ||
| + () -> mBinderService.setNotificationListenerAccessGrantedForUser( | ||
| + c, user.getIdentifier(), /* enabled= */ true, true)); | ||
| + } | ||
| + | ||
| + @Test | ||
| + public void testSetListenerAccessForUser_revokeWithNameTooLong_okay() throws Exception { | ||
| + UserHandle user = UserHandle.of(mContext.getUserId() + 10); | ||
| + ComponentName c = new ComponentName("com.example.package", | ||
| + com.google.common.base.Strings.repeat("Blah", 150)); | ||
| + | ||
| + mBinderService.setNotificationListenerAccessGrantedForUser( | ||
| + c, user.getIdentifier(), /* enabled= */ false, true); | ||
| + | ||
| + verify(mListeners).setPackageOrComponentEnabled( | ||
| + c.flattenToString(), user.getIdentifier(), true, /* enabled= */ false, true); | ||
| + } | ||
| + | ||
| @Test | ||
| public void testSetAssistantAccessForUser() throws Exception { | ||
| UserInfo ui = new UserInfo(); | ||
| -- | ||
| 2.41.0.585.gd2178a4bd4-goog | ||
|
|
Oops, something went wrong.